(57) A protocol for authenticating a mobile customer
unit to a service provider where signaling
messages are encrypted and where voice com- 
munications can be encrypted. A service pro- 
vider assigns to each mobile customer unit a 
unique "secret", along with other information 
such as a telephone number. At the pleasure of 
the service provider, a directive is sent to the 
mobile customer unit to create a shared secret 
datum based on the secret. The shared secret
datum is created with the aid of a bit string that 
is sent for that purpose by the provider. A 
portion of the created shared secret datum is 
used for encrypting speech and the same or 
other portion of the created shared secret 
datum is used as an input to a process for 
creating a second encryption key. That key is 
employed in the mobile customer unit to en- 
code those of the control signals generated by 
the mobile customer unit that affect the nature 
of the call in progress.

Background of the Invention

This invention relates to authentication protocols 
and more particularly to protocols for insuring validity 
of communicating radio-telephones and the like. 

In conventional telephony each telephone set 
(fax unit, modem, etc) is physically connected to a 
unique port on a switch at a local central office. The
connection is through a dedicated wire, or through a 
designated channel on a dedicated wire. The wire 
connection is installed by the service provider (who, 
typically, is the common carrier) and, therefore, the 
service provider can be reasonably sure that trans- 
mission on the channel arrives from the subscriber. 
By comparison, authentication of a subscriber in wire- 
less telephony is less certain. 

Under the current cellular telephony arrange- 
ment in the United States, when a cellular telephone 
subscriber places a call, his or her cellular telephone 
indicates to the service provider the identity of the 
caller for billing purposes. This information is not en- 
crypted. If an interloper eavesdrops at the right time, 
he or she can obtain the subscriber's identification in- 
formation. This includes the subscriber's phone num- 
ber and the electronic serial number (ESN) of the sub- 
scriber's equipment. Thereafter, the interloper can 
program his or her cellular telephone to impersonate 
that bona fide subscriber to fraudulently obtain ser- 
vices. Alternately, an interloper can inject himself into 
an established connection, overpower the customer's 
cellular telephone equipment by transmitting more 
power, and redirect the call to his or her purposes by 
sending certain control codes to the service provider. 
Basically, such piracy will succeed because the ser- 
vice provider has no mechanism for independently 
authenticating the identity of the caller at the time the 
connection is established and/or while the connection 
is active. 

Technology is available to permit an eavesdrop- 
per to automatically scan all of the cellular frequen- 
cies in a given cell for such identification information. 
Consequently, piracy of cellular telephone services is 
rampant. Also, the lack of enciphering of the speech
signals lays bare to eavesdroppers the content of 
conversations. In short, there is a clear and present 
need for effective security measures in the cellular 
telephony art, and that suggests the use of cryptolo- 
gy for the purposes of ensuring authentication and 
privacy. 

Several standard cryptographic methods exist for
solving the general sort of authentication problem
that exists in cellular telephony, but each turns out to
have practical problems. First, a classical
challenge/response protocol may be used, based on a
private key cryptographic algorithm. In this approach, a
subscriber's mobile station is issued with a secret key
which is also known by the home system. When a serving
system wishes to authenticate a subscriber, it applies
to the home system for a challenge and a response
to use with the given subscriber. The home
system composes a random challenge and applies a
one-way function to the challenge concatenated with
the subscriber's key to obtain the corresponding
response. The challenge and response are supplied to
the serving system, which issues the challenge to the
mobile station. The mobile station in turn replies with
the response, which it calculates from the challenge
and from its stored secret key. The serving system
compares the responses supplied by the home system
and by the mobile station, and if they match, the
mobile station is deemed authentic.

The problem with this approach is that often the
serving system is unable to contact the home system
quickly enough to allow authentication of a call setup,
or that the database software on the home system is
unable to look up the subscriber's secret key and
compose the challenge/response pair quickly
enough. Network or software delays of a second or
two would add that much dead time till the subscriber
hears a dial tone after picking up the handset when
placing a call, and longer delays (given the control
networks and switching apparatus currently used by
cellular providers) would be common. In the present
milieu, such delays are unacceptable.

Public key cryptography provides another standard
class of ways for solving authentication problems.
Generally speaking, each mobile station would
be provided with a "public key certificate" of identity,
signed by the public key of the service provider,
stating that the mobile station is a legitimate customer of
the service provider. In addition, each mobile would
also be given secret data (private keys) which it can
use, together with the certificate, to prove to third
parties (such as the serving system) that it is a
legitimate customer.

For example, the service provider could have a pair
of RSA keys, (F,G), with F private and G public. The
service provider could supply each mobile with its
own pair (D,E) of RSA keys, together with F(E) (the
encryption of the mobile's public key E using the
provider's private key F). Then a mobile asserts its
identity by sending (E,F(E)) to the serving system. The
serving system applies G to F(E) to obtain E. The
serving system generates a challenge X, encrypts it
with the mobile's public key E to obtain E(X), which it
sends to the mobile. The mobile applies its private
key D to E(X) to obtain X, which it sends back to the
server in the clear as a response.

Although some variations on this theme involve
less computation or data transmission than others, no
public key authentication scheme yet exists which is
efficiently executable in less than a second's time on
the sort of hardware currently used in cellular
telephones. Even though network connectivity between
the serving and home systems is not needed at the
moment of authentication, as it is in the classical
approach, the same time constraints which rule out the
classical approach also rule out the public key
approach.

EP 0 532 226 A2

Another technique is proposed by R.M. Needham
and M.D. Schroeder in Using Encryption for
Authentication in Large Computer Networks, Comm. of the
ACM, Vol. 21, No. 12, 993-999 (Dec. 1978). In brief,
the Needham-Schroeder technique requires that a
third, trusted, party (AS) should serve as an
authentication server which distributes session keys to the
prospective parties (A and B) who are attempting to
establish secure communications. The protocol is as
follows: when party A wishes to communicate with
party B, it sends to authentication server AS his own
name, the name of party B and a transaction
identifier. Server AS returns the name of party B, a session
key, the transaction identifier and a message
encrypted with B's key. All that information is encrypted
with A's key. Party A receives the information,
decrypts it, selects the portion that is encrypted with B's
key and forwards that portion to party B. Party B
decrypts the received messages and finds in it the
name of party A and the session key. A last check (to
prevent "replays") is made by party B issuing a
challenge to party A and party A replies, using the session
key. A match found at party B authenticates the
identity of party A.

Summary of the Invention 

The security needs of cellular telephony are met 
with an arrangement that depends on a shared secret 
data field. The mobile unit maintains a secret that is 
assigned to it by the service provider, and generates 
a shared secret data field from that secret. The service
provider also generates the shared secret data
field. When a mobile unit enters the cell of a base sta- 
tion, it identifies itself to the base station, and sup- 
plies to the base station a hashed authentication 
string. The base station consults with the provider, 
and if it is determined that the mobile unit is a bona 
fide unit, the provider supplies the base station with 
the shared secret data field. Thereafter the mobile 
unit communicates with the base station with the as- 
sistance of authentication processes that are carried 
out between the mobile unit and the base station, us- 
ing the shared secret data field. 

One feature of this arrangement is that the vari- 
ous base stations do not have access to the secret 
that was installed in the mobile unit by the provider. 
And, only the base stations which successfully inter- 
acted with the mobile unit have the shared secret 
data field. 

On the other hand, the more time consuming
authentication process that utilizes the secret, which
takes place only through involvement of the provider,
occurs only infrequently, when a mobile unit first
enters the cell (or when it is suspected that the shared
secret data field has been compromised).

In accordance with the principles of this invention,
both the mobile unit and the base station employ
a portion of the shared secret data field to create a
pair of encryption keys. The first encryption key in the
pair is used by the mobile unit to encrypt speech and
is used by the base station to decrypt speech. The
second encryption key in the pair is used by the base
station to encrypt speech and is used by the mobile
unit to decrypt speech.

The same hash function that is used to create the 
shared secret data field is used to create the pair of 
encryption keys. 

Control messages that are encrypted are
encrypted through three successive transformations
that yield a self inverting encryption process. In the
first transformation a randomized constant is added
to each word of the message to be encrypted. The
constant is related to a hashed string which comprises
a portion of the shared secret data field and which is
hashed with the hash function employed when deriving
the shared secret data field. In the second
transformation the set of words that make up the control
message (as modified by the first transformation) are
divided into a first half and a second half, and the first
half is modified based in part on the second half. In
the third transformation a randomized constant is
subtracted from each word of the message (as modified
by the second transformation) to be encrypted.
Again, the constant is related to a hashed string which
comprises a portion of the shared secret data field
and which is hashed with the hash function employed
when deriving the shared secret data field.

Brief Description of the Drawing

FIG. 1 illustrates an arrangement of network providers
and cellular radio providers interconnected
for service to both stationary and mobile telephones
and the like;

FIG. 2 depicts the process for directing the creation
of a shared secret data field and the verification
of same;

FIG. 3 depicts the registration process in a visited
base station, for example, when the mobile unit
first enters the cell serviced by the base station;

FIG. 4 shows the elements that are concatenated
and hashed to create the shared secret data;

FIG. 5 shows the elements that are concatenated
and hashed to create the verification sequence;

FIG. 6 shows the elements that are concatenated
and hashed to create the registration sequence
when the mobile unit goes on the air;

FIG. 7 shows the elements that are concatenated
and hashed to create the call initiation sequence;

FIG. 8 depicts the speech encryption and decryption
process in a mobile unit;

FIG. 9 shows the elements that are concatenated
and hashed to create the re-authentication sequence;

FIG. 10 illustrates the three stage process for
encrypting and decrypting selected control and
data messages; and

FIG. 11 presents a block diagram of a mobile
unit's hardware.

Detailed Description 

In a mobile cellular telephone arrangement there 
are many mobile telephones, a much smaller number 
of cellular radio providers (with each provider having 
one or more base stations) and one or more switching 
network providers (common carriers). The cellular ra- 
dio providers and the common carriers combine to al- 
low a cellular telephone subscriber to communicate 
with both cellular and non-cellular telephone sub- 
scribers. This arrangement is depicted diagrammati- 
cally in FIG. 1, where common carrier I and common 
carrier II combine to form a switching network com- 
prising switches 10-14. Stationary units 20 and 21 are 
connected to switch 10, mobile units 22 and 23 are 
free to roam, and base stations 30-40 are connected 
to switches 10-14. Base stations 30-34 belong to pro- 
vider 1, base stations 35 and 36 belong to provider 2, 
base station 37 belongs to provider 4, and base sta- 
tions 38-40 belong to provider 3. For purposes of this 
disclosure, a base station is synonymous with a cell 
wherein one or more transmitters are found. A collec- 
tion of cells makes up a cellular geographic service 
area (CGSA) such as, for example, base stations 30, 
31, and 32 in FIG. 1. 

Each mobile unit has an electronic serial number 
(ESN) that is unique to that unit. The ESN number is 
installed in the unit by the manufacturer, at the time 
the unit is built (for example, in a read-only-memory), 
and it is unalterable. It is accessible, however. 

When a customer desires to establish a service
account for a mobile unit that the customer owns or
leases, the service provider assigns to the customer
a phone number (MIN1 designation), an area code
designation (MIN2 designation) and a "secret" (A-key).
The MIN1 and MIN2 designations are associated
with a given CGSA of the provider and all base stations
in the FIG. 1 arrangement can identify the
CGSA to which a particular MIN2 and MIN1 pair belongs.
The A-key is known only to the customer's
equipment and to the provider's CGSA processor (not
explicitly shown in FIG. 1). The CGSA processor
maintains the unit's ESN, A-key, MIN1 and MIN2
designations and whatever other information the service
provider may wish to have.

With the MIN1 and the MIN2 designations and
the A-key installed, the customer's unit is initialized
for service when the CGSA processor sends to the
mobile unit a special random sequence (RANDSSD),
and a directive to create a "shared secret data" (SSD)
field. The CGSA sends the RANDSSD, and the SSD
field generation directive, through the base station of
the cell where the mobile unit is present. Creation of
the SSD field follows the protocol described in FIG. 2.

As an aside, in the FIG. 1 arrangement each base
station broadcasts information to all units within its
cell on some preassigned frequency channel (broadcast
band). In addition, it maintains two way
communications with each mobile unit over a mutually
agreed, (temporarily) dedicated channel. The manner
by which the base station and the mobile unit agree
on the communications channel is unimportant to this
invention, and hence it is not described in detail
herein. One approach may be, for example, for the mobile
unit to scan all channels and select an empty one. It
would then send to the base station its MIN2 and
MIN1 designations (either in plaintext form or
enciphered with a public key), permitting the base station
to initiate an authentication process. Once
authenticated communication is established, if necessary,
the base station can direct the mobile station to
switch to another channel.

As described in greater detail hereinafter, in the
course of establishing and maintaining a call on a
mobile telephony system of this invention, an
authentication process may be carried out a number of times
throughout the conversation. Therefore, the
authentication process employed should be relatively
secure and simple to implement. To simplify the design
and lower the implementation cost, both the mobile
unit and the base station should use the same
process.

Many authentication processes use a hashing
function, or a one-way function, to implement the
processes. A hashing function performs a many-to-one
mapping which converts a "secret" to a signature.
The following describes one hashing function that is
simple, fast, effective, and flexible. It is quite suitable
for the authentication processes of this invention but,
of course, other hashing functions can be used.

The Jumble Process 

The Jumble process can create a "signature" of
a block of d "secret" data words b(i), with the aid of a
k-word key x(j), where d, i, j, and k are integers. The
"signature" creation process is carried out on one
data word at a time. For purposes of this description,
the words on which the Jumble process operates are
8 bits long (providing a range from 0 to 255, inclusive),
but any other word size can be employed. The "secret"
data block length is incorporated in the saw
tooth function

$S_d(t) = t$ for $0 \le t \le d-1$,
$S_d(t) = 2d-2-t$ for $d \le t \le 2d-3$, and
$S_d(t) = S_d(t+2d-2)$ for all $t$.

This function is used in the following process where,
starting with z=0 and i=0, for successively increasing
integer values of i in the range $0 \le i \le 6d-5$,

a) $b(S_d(i))$ is updated by:

$b(S_d(i)) = b(S_d(i)) + x(i_k) + \mathrm{SBOX}(z) \bmod 256$

where

* $i_k$ is i modulo k, $\mathrm{SBOX}(z) = y + [y/2048] \bmod 256$,

* $y = (z \oplus 16)(z+111)(z)$,

* $[y/2048]$ is the integer portion of y divided by
2048, and $\oplus$ represents the bit-wise Exclusive-OR
function; and

b) z is updated with: $z = z + b(S_d(i)) \bmod 256$.

It may be appreciated that in the process just
described there is no real distinction between the data
and the key. Therefore, any string that is used for
authentication can have a portion thereof used as a key
for the above process. Conversely, the data words
concatenated with the key can be considered to be
the "authentication string". It may also be noted that
each word b(i), where $0 \le i < d$, is hashed individually,
one at a time, which makes the hashing "in place". No
additional buffers are needed for the hashing process
per se.

The process just described can be easily carried 
out with a very basic conventional processor, since 
the only operations required are: shifting (to perform 
the division by 2048), truncation (to perform the [ ] 
function and the mod 256 function), addition, multipli- 
cation, and bit-wise Exclusive-OR functions. 

Returning to the SSD field initialization process
of FIG. 2, when a RANDSSD sequence and the directive
to create a new SSD field (arrow 100 in FIG. 2)
are received by the mobile station, a new SSD field
is generated in accordance with FIG. 4. The mobile
unit concatenates the ESN designation, the A-key,
and the RANDSSD sequence to form an authentication
string. The authentication string is applied to
Jumble block 101 (described above) which outputs
the SSD field. The SSD field comprises two subfields:
the SSD-A subfield which is used to support
authentication procedures, and the SSD-B subfield
which is used to support voice privacy procedures
and encryption of some signaling messages (described
below). It may be noted that a larger number of
SSD subfields can be created; either by subdividing
the SSD field formed as described above or by first
enlarging the SSD field. To increase the number of
bits in the SSD field one needs only to start with a
larger number of data bits. As will be appreciated from
the disclosure below, that is not a challenging
requirement.

The home CGSA processor knows the ESN and
the A-key of the mobile unit to which the received
MIN2 and MIN1 designations were assigned. It also
knows the RANDSSD sequence that it sent. Therefore,
the home CGSA processor is in position to duplicate
the SSD field creation process of the mobile
unit. By concatenating the RANDSSD signal with the
ESN designation and the A-key, and with the
above-described Jumble process, the CGSA processor
creates a new SSD field and partitions it into SSD-A and
SSD-B subfields. However, the SSD field created in
the home CGSA processor must be verified.

In accordance with FIG. 2, verification of the created
SSD field is initiated by the mobile unit. The mobile
unit generates a random challenge sequence
(RANDBS sequence) in block 102 and sends it to the
home CGSA processor through the serving base station
(the base station that serves the area in which
the mobile unit is located). In accordance with FIG. 5,
the home CGSA processor concatenates the challenge
RANDBS sequence, the ESN of the mobile
unit, the MIN1 designation of the mobile unit, and the
newly created SSD-A to form an authentication string
which is applied to the Jumble process. In this instance,
the Jumble process creates a hashed authentication
signal AUTHBS which is sent to the mobile
station. The mobile station also combines the
RANDBS sequence, its ESN designation, its MIN1
designation and the newly created SSD-A to form an
authentication string that is applied to the Jumble
process. The mobile station compares the result of its
Jumble process to the hashed authentication signal
(AUTHBS) received from the home CGSA processor.
If the comparison step (block 104) indicates a match,
the mobile station sends a confirmation message to
the home CGSA processor indicating the success of
the update in the SSD field. Otherwise, the mobile
station reports on the failure of the match comparison.
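
The Jumble process and the SSD update of FIG. 2, 4 and 5, written out as an added Python example (not code from the patent). Assumptions not stated on the page: the secret portion of each authentication string (A-key or SSD-A) doubles as the key x, SSD-A, SSD-B and AUTHBS are 8 bytes each, and the class and function names and the ESN, MIN1 and A-key values are constructed for illustration.

```python
import hmac
import secrets


def sawtooth(d: int, t: int) -> int:
    """S_d(t): 0, 1, ..., d-1, d-2, ..., 1, repeating with period 2d-2."""
    period = 2 * d - 2
    t %= period
    return t if t <= d - 1 else period - t


def sbox(z: int) -> int:
    """SBOX(z) = (y + floor(y/2048)) mod 256 with y = (z XOR 16)(z+111)(z)."""
    y = (z ^ 16) * (z + 111) * z
    return (y + (y >> 11)) % 256


def jumble(block: bytes, key: bytes) -> bytes:
    """Hash a block of d 8-bit words b(i) with a k-word key x(j)."""
    d, k = len(block), len(key)
    if d < 2 or k < 1:
        raise ValueError("need at least two data words and one key word")
    b = bytearray(block)              # the page hashes in place; this copies
    z = 0
    for i in range(6 * d - 4):        # i = 0 .. 6d-5
        j = sawtooth(d, i)
        b[j] = (b[j] + key[i % k] + sbox(z)) % 256   # step a)
        z = (z + b[j]) % 256                          # step b)
    return bytes(b)


# Assumptions from here on: the page does not fix which portion of the
# authentication string is the key, nor the field or output widths.
def derive_ssd(esn: bytes, a_key: bytes, randssd: bytes):
    """FIG. 4: Jumble(ESN || A-key || RANDSSD), keyed with the A-key portion."""
    out = jumble(esn + a_key + randssd, a_key)
    return out[:8], out[8:16]         # (SSD-A, SSD-B), widths assumed


def authbs(randbs: bytes, esn: bytes, min1: bytes, ssd_a: bytes) -> bytes:
    """FIG. 5: Jumble(RANDBS || ESN || MIN1 || SSD-A), keyed with SSD-A."""
    return jumble(randbs + esn + min1 + ssd_a, ssd_a)[:8]


class Party:
    """State kept by either end: the mobile unit or its home CGSA processor."""

    def __init__(self, esn: bytes, min1: bytes, a_key: bytes):
        self.esn, self.min1, self.a_key = esn, min1, a_key
        self.ssd = None               # SSD field in force
        self.pending = None           # new SSD field awaiting verification

    def on_randssd(self, randssd: bytes) -> None:
        self.pending = derive_ssd(self.esn, self.a_key, randssd)

    def sign_challenge(self, randbs: bytes) -> bytes:
        return authbs(randbs, self.esn, self.min1, self.pending[0])

    def commit(self) -> None:
        self.ssd, self.pending = self.pending, None


def ssd_update(mobile: Party, home: Party, randssd: bytes, randbs: bytes) -> bool:
    """Run the FIG. 2 exchange; True if the mobile confirms the new SSD."""
    home.on_randssd(randssd)                   # home derives its copy
    mobile.on_randssd(randssd)                 # arrow 100: directive + RANDSSD
    reply = home.sign_challenge(randbs)        # home answers RANDBS (block 102)
    expected = mobile.sign_challenge(randbs)   # mobile's own Jumble result
    if not hmac.compare_digest(reply, expected):   # comparison, block 104
        mobile.pending = home.pending = None       # failure is reported
        return False
    mobile.commit()
    home.commit()                              # on the confirmation message
    return True


# Constructed sample values (not real subscriber data).
ESN, MIN1 = bytes.fromhex("82a1b2c3"), bytes.fromhex("0f4e21")
A_KEY = bytes.fromhex("0123456789abcdef")

if __name__ == "__main__":
    mobile, home = Party(ESN, MIN1, A_KEY), Party(ESN, MIN1, A_KEY)
    ok = ssd_update(mobile, home, secrets.token_bytes(7), secrets.token_bytes(4))
    print("update confirmed:", ok, "SSD-A:", mobile.ssd[0].hex())
    rogue = Party(ESN, MIN1, bytes(8))         # network side without the A-key
    print("rogue confirmed:", ssd_update(mobile, rogue, b"\x01" * 7, b"\x02" * 4))
```

A failed comparison leaves the mobile unit's previous SSD field in force, which is why a network side that does not hold the A-key cannot push a new SSD field onto the unit.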

Having initialized the mobile station, the SSD
field remains in force until the home CGSA processor
directs the creation of a new SSD field. That can
occur, for example, if there is reason to believe that the
SSD field has been compromised. At such a time, the
home CGSA processor sends another RANDSSD
sequence to the mobile unit, and a directive to create a
new SSD field.

As mentioned above, in cellular telephony each
base station broadcasts various informational signals
for the benefit of all of the mobile units in its cell. In
accordance with FIG. 1 management, one of the
signals broadcast by the base station is a random or
pseudorandom sequence (RAND sequence). The
RAND sequence is used by various authentication
processes to randomize the signals that are created
and sent by the mobile units. Of course, the RAND
sequence must be changed periodically to prevent
record/playback attacks. One approach for selecting
the latency period of a RAND signal is to make it
smaller than the expected duration of an average call.
Consequently, a mobile unit, in general, is caused to
use different RAND signals on successive calls.

In accordance with one aspect of this invention,
as soon as the mobile unit detects that it enters a cell
it registers itself with the base unit so that it can be
authenticated. Only when a mobile unit is authenticated
can it initiate calls, or have the base station
direct calls to it.

When the mobile unit begins the registration
process it accepts the RAND sequence broadcast by
the base station and, in turn, it sends to the serving
base station its MIN1 and MIN2 designations and its
ESN sequence (in plaintext) as well as a hashed
authentication string. According to FIG. 6, the hashed
authentication string is derived by concatenating the
RAND sequence, the ESN sequence, the MIN1
designation and the SSD-A subfield to form an
authentication string; and applying the authentication string
to the Jumble process. The hashed authentication
string at the output of the Jumble process is sent to
the serving base station together with the ESN
sequence.

In some embodiments, all or part of the RAND
sequence used by the mobile unit is also sent to the
serving base station (together with the ESN
sequence and the MIN1 and MIN2 designations),
because the possibility exists that the RAND value has
changed by the time the hashed authentication string
reaches the base station.

On the base station side, the serving base station
knows the RAND sequence (because the base
station created it) and it also knows the ESN and the
MIN2 and MIN1 designations with which the mobile
unit identified itself. But, the serving base station
does not know the SSD field of the mobile unit. What
it does know is the identity of the mobile unit's home
CGSA processor (from the MIN1 and MIN2
designations). Consequently, it proceeds with the
authentication process by sending to the mobile unit's home
CGSA processor the MIN1 designation, the ESN
sequence, the hashed authentication string that the
mobile unit created and transmitted, and the RAND
sequence that the serving base station broadcast
(and which the mobile unit incorporated in the created
hashed authentication string). From the mobile unit's
MIN1 designation and ESN sequence the home
CGSA processor knows the mobile unit's identity and,
hence, the mobile unit's SSD-A subfield. Therefore it
can proceed to create an authentication string just as
the mobile unit did, and apply it to the Jumble process
(FIG. 6). If the hashed authentication string created
by the mobile unit's home CGSA processor matches
the hashed authentication string created in the mobile
unit and supplied by the serving base station,
then verification is deemed successful. In such a
case, the home CGSA processor supplies the serving
base station with the unit's SSD field. As an aside, to
keep the ESN designation and the SSD field secure,
the communication between the base stations and
the CGSA processor is carried in encrypted form.

In the above-described protocol, the mobile unit's
CGSA processor attempts to verify the validity of the
hashed authentication string. When the verification is
unsuccessful, the CGSA processor informs the serving
base station that the mobile unit was not authenticated
and may suggest that either the contact with
the mobile unit be dropped or that the mobile unit be
directed to retry the registration process. To retry the
registration process the home CGSA processor can
either continue participation in the authentication
process or it can delegate it to the serving base station.
In the latter alternative, the serving base station
informs the home CGSA processor of the ESN
sequence and the MIN1 designation of the mobile unit,
and the CGSA processor responds with the SSD field
of the mobile unit and the RANDSSD with which the
SSD field was created. Authentication, in the sense
of creating a hashed authentication string and comparing
it to the hashed authentication string sent by
the mobile unit, is then carried out by the serving
base station. A retry directive can then be carried out
without the home CGSA process by the serving station
sending the RANDSSD to the mobile unit. This
"registration" protocol is depicted in FIG. 3.

Once the mobile unit has been "registered" at the
serving base station (via the above-described process)
the serving base station possesses the ESN and
the SSD field of the mobile unit and subsequent
authentication processes in that cell can proceed in the
serving base station without reference to the home
CGSA processor - except one. Whenever, for any
reason, it is desirable to alter the SSD field,
communication is effectively between the home CGSA
processor and the mobile unit; and the serving base station
acts only as a conduit for this communication.
That is because creation of a new SSD field requires
an access to the secret A-key, and access to the A-key
is not granted to anyone by the CGSA processor.
Accordingly, when a new SSD field is to be created
and the mobile unit is not in the area of the home
CGSA, the following occurs:

* the home CGSA processor creates a
RANDSSD sequence and alters the SSD field
based on that RANDSSD sequence,
* the home CGSA processor supplies the serving
base station with the RANDSSD sequence
and the newly created SSD field,
* the serving base station directs the mobile unit
to alter its SSD field and provides the mobile unit
with the RANDSSD sequence,
* the mobile unit alters the SSD field and sends
a challenge to the serving base station,
* the serving base station creates the AUTHBS
string (described above) and sends it to the mobile
unit, and
* the mobile unit verifies the AUTHBS string and
informs the serving base station that both the
mobile unit and the serving base station have the
same SSD fields.

Having been registered by the serving base station,
the mobile unit can initiate calls with an authentication
process as depicted in FIG. 7. The call initiation
sequence concatenates signals RAND, ESN,
SSD-A and at least some of the called party's
identification (phone) number (MIN3 in FIG. 7). The
concatenated signals are applied to the Jumble process to
develop a hashed authentication sequence that can
be verified by the serving base station. Of course, to
permit verification at the serving base station, the
called party's identification number must also be
transmitted in a manner that can be received by the
base station (and, as before, perhaps a portion of the
RAND signal), i.e., in plaintext. Once the authentication
sequence is verified, the base station can process
the call and make the connection to the called
party.

The protocol for connecting to a mobile unit when
it is a "called party" follows the registration protocol
of FIG. 6. That is, the serving base station requests
the called mobile station to send an authentication
sequence created from the RAND sequence, ESN
designation, MIN1 designation and SSD-A subfield.
When authentication occurs, a path is set up between
the base station and the called party mobile unit, for
the latter to receive data originating from, and send
data to, the mobile unit (or stationary unit) that
originated the call.

It should be noted that all of the authentications
described above are effective only (in the sense of
being verified) with respect to the authenticated
packets, or strings, themselves. To enhance security
at other times, three different additional security
measures can be employed. They are speech encryption,
occasional re-authentication, and control message
encryption.

Speech Encryption 

The speech signal is encrypted by first converting
it to digital form. This can be accomplished in any
number of conventional ways, with or without compression,
and with or without error correction codes.
The bits of the digital signals are divided into successive
groups of K bits and each of the groups is encrypted.
More specifically, in both the mobile unit and
the base station the RAND sequence, the ESN and
MIN1 designations, and the SSD-B subfield are
concatenated and applied to the Jumble process. The
Jumble process produces 2K bits and those bits are
divided into groups A and B of K bits each. In the mobile
unit group A is used for encrypting outgoing
speech, and group B is used for decrypting incoming
speech. Conversely in the base station, group A is
used for decrypting incoming speech and group B is
used for encrypting outgoing speech. FIG. 8 depicts
the speech encryption and decryption process.



Re-authentication 

At the base station's pleasure, a re-authentication
process is initiated to confirm that the mobile unit
which the base station believes is active, is, in fact,
the mobile unit that was authorized to be active. This
is accomplished by the base station requesting the
mobile unit to send a hashed authentication
sequence in accordance with FIG. 9. With each such
request the base station sends a special (RANDU)
sequence. The mobile unit creates the hashed
authentication sequence by concatenating the RANDU
sequence, the area code MIN2 designation of the
mobile unit, the ESN designation, the MIN1 designation
and the SSD-A designation. The concatenated string
is applied to the Jumble process, and the resulting
hashed authentication string is sent to the base
station. The base station, at this point, is in a position to
verify that the hashed authentication string is valid.
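
The re-authentication exchange above, written out for both sides as an added example (not code from the patent). SHA-256 stands in for the Jumble process, and the field values, the 3-byte RANDU and the 4-byte response length are constructed assumptions.

```python
import hashlib
import hmac
import secrets

def jumble(*fields: bytes) -> bytes:
    """Stand-in for Jumble (assumption): SHA-256 over the concatenation, truncated."""
    return hashlib.sha256(b"".join(fields)).digest()[:4]

class MobileUnit:
    def __init__(self, esn: bytes, min1: bytes, min2: bytes, ssd_a: bytes):
        self.esn, self.min1, self.min2, self.ssd_a = esn, min1, min2, ssd_a

    def respond(self, randu: bytes) -> bytes:
        # Field order follows the text: RANDU, MIN2, ESN, MIN1, SSD-A.
        return jumble(randu, self.min2, self.esn, self.min1, self.ssd_a)

class BaseStation:
    def __init__(self, esn: bytes, min1: bytes, min2: bytes, ssd_a: bytes):
        self.record = (min2, esn, min1, ssd_a)
        self.pending = None  # RANDU of the outstanding request, if any

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(3)  # fresh per request (length assumed)
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = jumble(self.pending, *self.record)
        self.pending = None  # one response per challenge
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Constructed identity values, not taken from the patent.
    ident = dict(esn=b"\x12\x34\x56\x78", min1=b"\x0a\x0b\x0c", min2=b"\x02\x01")
    base = BaseStation(ssd_a=b"constructed-ssd-a", **ident)
    genuine = MobileUnit(ssd_a=b"constructed-ssd-a", **ident)
    other = MobileUnit(ssd_a=b"different-ssd-a", **ident)  # same ESN/MINs, wrong SSD-A

    first = genuine.respond(base.challenge())
    results = {"genuine": base.verify(first)}
    base.challenge()
    results["replayed"] = base.verify(first)  # old response against a new RANDU
    results["wrong_ssd"] = base.verify(other.respond(base.challenge()))
    return results
```

Only the response bound to the current RANDU and the correct SSD-A verifies; the identity fields alone are not sufficient.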

Control Message Cryptosystem 

The third security measure deals with ensuring 
the privacy of control messages. In the course of an 
established call, various circumstances may arise 
that call for the transmission of control messages. In 
some situations, the control messages can signifi- 
cantly and adversely affect either the mobile station 
that originated the call or the base station. For that 
reason, it is desirable to encipher (reasonably well) 
some types of control messages sent while the con- 
versation is in progress. Alternately, selected fields of 
chosen message types may be encrypted. This in- 
cludes "data" control messages such as credit card 
numbers, and call redefining control messages. This 
is accomplished with the Control Message Crypto- 
system. 

The Control Message Cryptosystem (CMC) is a 
symmetric key cryptosystem that has the following 
properties: 

1) it is relatively secure, 

2) it runs efficiently on an eight-bit computer, and 

3) it is self-inverting (i.e., involutory).

The cryptographic key for CMC is an array, 
TBOX[z], of 256 bytes which is derived from a "secret" 
(e.g., SSD-B subfield) as follows:

1. for each z in the range 0 ≤ z < 256, set
TBOX[z] = z, and

2. apply the array TBOX[z] and the secret (SSD-B)
to the Jumble process.

This is essentially what is depicted in elements 
301, 302 and 303 in FIG. 8 (except that the number 
of bits in FIG. 8 is 2K rather than 256 bytes). 

Once the key is derived, CMC can be used to encrypt
and decrypt control messages. Alternately, the
key can be derived "on the fly" each time the key is
used. CMC has the capability to encipher variable
length messages of two or more bytes. CMC's
operation is self-inverting, reciprocal, or involutory. That
is, precisely the same operations are applied to the
ciphertext to yield plaintext as are applied to plaintext
to yield ciphertext. An involutory function is a function
which is its own inverse (e.g., x = 1/x', x = T(T(x'))). Thus,
a two-fold application of the CMC operations would
leave the data unchanged.

In the description that follows it is assumed that
for the encryption process (and the decryption
process) the plaintext (or the ciphertext) resides in a data
buffer and that CMC operates on the contents of that
data buffer such that the final contents of the data
buffer constitute the ciphertext (or plaintext). That
means that elements 502 and 504 in FIG. 10 can be
one and the same register.

CMC is comprised of three successive stages,
each of which alters each byte string in the data
buffer. Note that both CMC, as a whole, and the second
constituent stage of CMC are an involution. When the
data buffer is d bytes long and each byte is
designated by b(i), for i in the range 0 ≤ i < d:

I. The first stage of CMC is as follows:

1. Initialize a variable z to zero,

2. For successive integer values of i in the
range 0 ≤ i < d

  a. form a variable q by: q = z ⊕ low order
  byte of i, where ⊕ is the bitwise boolean
  Exclusive-OR operator,

  b. form variable k by: k = TBOX[q],

  c. update b(i) with: b(i) = b(i) + k mod 256,
  and

  d. update z with: z = b(i) + z mod 256.

II. The second stage of CMC is involutory and
comprises:

1. for all values of i in the range 0 ≤ i < (d-1)/2:
b(i) = b(i) ⊕ (b(d-1-i) OR 1), where OR is
the bitwise boolean OR operator.

III. CMC's final stage is the decryption that is
inverse of the first stage:

1. Initialize a variable z to zero,

2. For successive integer values of i in the
range 0 ≤ i < d

  a. form a variable q by: q = z ⊕ low order
  byte of i,

  b. form variable k by: k = TBOX[q],

  c. update z with: z = b(i) + z mod 256,

  d. update b(i) with: b(i) = b(i) - k mod 256.

The three stage process employed to encrypt and
decrypt selected control and data messages is
illustrated in FIG. 10. In one preferred embodiment the first
stage and the third stage are an autokey encryption
and decryption, respectively. An autokey system is a
time-varying system where the output of the system
is used to affect the subsequent output of the system.
For further reference regarding cryptography and
autokey systems, see W. Diffie and M.E. Hellman,
Privacy and Authentication: An Introduction to
Cryptography, Proc. of the I.E.E.E., Vol. 67, No. 3, March
1979.
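
The three stages described above, as an added Python example (not code from the patent), showing that stage III undoes stage I and that applying CMC twice restores the buffer. The Jumble process is not specified in this section, so `derive_tbox` is a hypothetical stand-in that uses SHAKE-256, and the secret and message bytes are constructed.

```python
import hashlib

def derive_tbox(secret: bytes) -> bytes:
    """Stand-in key setup (assumption): the patent jumbles the identity array
    with SSD-B; here SHAKE-256 supplies the 256 TBOX bytes instead."""
    return hashlib.shake_256(b"cmc-demo" + secret).digest(256)

def stage1(buf: bytearray, tbox: bytes) -> None:
    """Autokey encryption: the lookup index depends on earlier output bytes."""
    z = 0
    for i in range(len(buf)):
        k = tbox[z ^ (i & 0xFF)]       # q = z XOR low order byte of i
        buf[i] = (buf[i] + k) % 256
        z = (buf[i] + z) % 256         # z absorbs the updated byte

def stage2(buf: bytearray) -> None:
    """Unkeyed involution: the back half of the buffer masks the front half."""
    d = len(buf)
    for i in range(d // 2):            # same indices as 0 <= i < (d-1)/2
        buf[i] ^= buf[d - 1 - i] | 1

def stage3(buf: bytearray, tbox: bytes) -> None:
    """Inverse of stage 1: z absorbs the byte before it is changed."""
    z = 0
    for i in range(len(buf)):
        k = tbox[z ^ (i & 0xFF)]
        z = (buf[i] + z) % 256
        buf[i] = (buf[i] - k) % 256

def cmc(message: bytes, tbox: bytes) -> bytes:
    """Apply all three stages; the same call encrypts and decrypts."""
    if len(message) < 2:
        raise ValueError("CMC operates on messages of two or more bytes")
    buf = bytearray(message)
    stage1(buf, tbox)
    stage2(buf)
    stage3(buf, tbox)
    return bytes(buf)

# Constructed sample values, not taken from the patent.
TBOX = derive_tbox(b"constructed SSD-B value")
PLAINTEXT = bytes.fromhex("0a1b2c3d4e")
CIPHERTEXT = cmc(PLAINTEXT, TBOX)
assert cmc(CIPHERTEXT, TBOX) == PLAINTEXT
```

Because stage II always XORs in a value with its low bit set, it never leaves a buffer unchanged, so the output of `cmc` always differs from its input.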

Mobile Unit Apparatus 

FIG. 11 presents a block diagram of a mobile unit
hardware. It comprises a control block 200 which
includes (though not illustrated) the key pad of a
cellular telephone, the hand set and the unit's power
control switch. Control block 200 is connected to
processor 210 which controls the workings of the mobile
unit, such as converting speech signals to digital
representation, incorporating error correction codes,
encrypting the outgoing digital speech signals,
decrypting incoming speech signals, forming and encrypting
(as well as decrypting) various control messages, etc.
Block 210 is coupled to block 220 which comprises
the bulk of the circuitry associated with transmission
and reception of signals. Blocks 200-220 are
basically conventional blocks, performing the functions that
are currently performed by commercial mobile
telephone units (though the commercial units do not
carry out encrypting and decrypting). To incorporate the
authentication and encryption processes disclosed
herein, the apparatus of FIG. 11 also includes a block
240 which comprises a number of registers coupled
to processor 210, and a "personality" module 230 that
is also coupled to processor 210. Module 230 may be
part of the physical structure of a mobile telephone
unit, or it may be a removable (and pluggable) module
that is coupled to the mobile telephone unit through
a socket interface. It may also be coupled to
processor 210 through an electromagnetic path, or
connection. In short, module 230 may be, for example, a
"smart card".

Module 230 comprises a Jumble processor 231
and a number of registers associated with processor
231. Alternately, in another preferred embodiment,
only the A-Key is in the module 230. A number of
advantages accrue from installing (and maintaining) the
A-key, and the MIN1 and MIN2 designations in the
registers of module 230, rather than in the registers
of block 240. It is also advantageous to store the
developed SSD field in the registers of module 230. It is
further advantageous to include among the registers of
module 230 any needed working registers for
carrying out the processes of processor 231. By including
these elements in module 230, the user may carry
the module on his person to use it with different
mobile units (e.g. "extension" mobile units) and have
none of the sensitive information be stored outside
the module. Of course, mobile units may be produced
with module 230 being an integral and permanent
part of the unit. In such embodiments, Jumble
processor 231 may be merged within processor 210.
Block 240 stores the unit's ESN designation and the
various RAND sequences that are received.

Although the above disclosure is couched in
terms of subscriber authentication in a cellular
telephony environment and that includes personal
communication networks which will serve portable wallet
sized handsets, it is clear that the principles of this
invention have applicability in other environments
where the communication is perceived to be not
sufficiently secure and where impersonation is a
potential problem. This includes computer networks, for
example.



Claims 

1. A method for processing a set of message signals
CHARACTERIZED BY: 

receiving a set of first signals; 

creating a set of key signals by hashing 
said set of first signals and a set of second sig- 
nals; 

encrypting said set of message signals 
based on a subset of said set of key signals to 
form a set of first intermediate signals; 

altering said set of first intermediate sig- 
nals in accordance with an unkeyed involutory 
transformation which modifies a first subset of 
said set of first intermediate signals based on a 
second subset of said first intermediate signals to 
form a set of second intermediate signals; and 

decrypting said set of second intermedi- 
ate signals in accordance with a transformation 
which is the inverse of said step of encrypting to 
form a set of encrypted signals. 

2. A method for processing a set of message signals 
CHARACTERIZED BY: 

generating a set of first signals; 

creating a set of key signals by hashing 
said set of first signals and a set of second sig- 
nals; 

encrypting said set of message signals 
based on a subset of said set of key signals to 
form a set of first intermediate signals; 

altering said set of first intermediate sig- 
nals with an unkeyed involutory transformation 
which modifies a first subset of said set of first in- 
termediate signals based on a second subset of 
said first intermediate signals to form a set of sec- 
ond intermediate signals; and 

decrypting said set of second intermedi- 
ate signals with a transformation which is the in- 
verse of said step of encrypting to form a set of 
encrypted signals. 



3. The method of claim 1 or claim 2 wherein said set
of message signals represents a communication
system control message and further comprising
the steps of:

generating said set of message signals;
and

transmitting said set of encrypted signals.

4. The method of claim 1 or claim 2 wherein said
set of message signals represents a communication
system control message and further comprising
the steps of:

receiving said set of message signals; and
acting on said set of encrypted signals.

5. An apparatus for processing a set of message
signals CHARACTERIZED BY:

means 220 for receiving a set of first signals;

means 230 for creating a set of key signals
by hashing said set of first signals and a set of
second signals;

means 501 for encrypting said set of message
signals based on a subset of said set of key
signals to form a set of first intermediate signals;

means 509 for altering said set of first
intermediate signals in accordance with an unkeyed
involutory transformation which modifies a
first subset of said set of first intermediate signals
based on a second subset of said first intermediate
signals to form a set of second intermediate
signals; and

means 513 for decrypting said set of second
intermediate signals in accordance with a
transformation which is the inverse of said step
of encrypting to form a set of encrypted signals.

6. An apparatus for processing a set of message
signals CHARACTERIZED BY:

means 210 for generating a set of first signals;

means 230 for creating a set of key signals
by hashing said set of first signals and a set of
second signals;

means 505 for encrypting said set of message
signals based on a subset of said set of key
signals to form a set of first intermediate signals;

means 509 for altering said set of first
intermediate signals with an unkeyed involutory
transformation which modifies a first subset of
said set of first intermediate signals based on a
second subset of said first intermediate signals to
form a set of second intermediate signals; and

means 513 for decrypting said set of second
intermediate signals with a transformation
which is the inverse of said step of encrypting to
form a set of encrypted signals.

7. The apparatus of claim 5 or claim 6 wherein said
set of message signals represents a communications
system control message and further comprising:

means 210 for generating said set of message
signals; and

means 220 for transmitting said set of
encrypted signals.

8. The apparatus of claim 5 or claim 6 wherein said
set of message signals represents a communications
system control message and further comprising:

means 220 for receiving said set of message
signals; and

means 210 for acting on said set of
encrypted signals.
FIG. 10